@nekohayo opened this Issue on February 7th 2017

Let's say you're using Piwik through "WP-Piwik" on WordPress, and your WordPress website gets compromised... I would expect then to need to change the Piwik tokens just in case the attackers got a hold of them.

From what I see in the Admin > Users area in piwik, there is no way to generate a new token for a user. There should be.

@tsteur commented on February 7th 2017 Owner

There would be a way via the UsersManager.regenerateTokenAuth API. Apart from this, could you log in as the user and regenerate the token in the UI?

@nekohayo commented on February 7th 2017

> Apart from this, could you log in as the user and regenerate the token in the UI?

Well that's exactly what I tried doing, but there seems to be no button or editable field for this in "Admin > Users"... hence my bug report :)

@tsteur commented on February 7th 2017 Owner

When you are logged in, you should be able to do this in "Personal Settings". You need to be logged in as the user you want to reset.

@nekohayo commented on February 7th 2017

In ?module=UsersManager&action=userSettings ? I don't see this at all, nor in ?module=API&action=listAllAPI (that 2nd page shows the token but doesn't allow changing it), nor in ?module=UsersManager&action=index... I can't find such a reset feature for my user, anywhere... I must be missing something obvious? I tried this on 2.16.x

@tsteur commented on February 7th 2017 Owner

Ah sorry, I assumed you are on Piwik 3.

In Piwik 2 a workaround is to change the password and a new token will be generated.

@nekohayo commented on February 7th 2017

...oh! I see. But then this prompts a security question, if you don't mind: I see now that the auth token indeed gets changed if you change to a different passphrase, however if you change the passphrase back to what it was, the auth token changes back to the previous one... which indicates that it actually is only an MD5 hash of the password. Uh oh.

Could you tell me if this has changed in 3.x, if the token auth is actually decoupled from the user's passphrase, or if it's still a hash of it? Because if it's still strongly associated with the password, it would seem to me like a vulnerability?
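The check described above, as an added example that is not part of the issue thread or of Piwik's code: a constructed model of a password-derived token (the token cannot be rotated without a password change, and reverting the password brings the leaked token back) beside a decoupled design where regenerating the token revokes the old one.

```python
import hashlib
import hmac
import secrets


class PasswordBoundUser:
    """Constructed model of the behaviour observed in the thread: the
    token is derived from the password, so it only changes when the
    password does. Illustrative only, not Piwik's implementation."""

    def __init__(self, password: str) -> None:
        self.set_password(password)

    def set_password(self, password: str) -> None:
        # The token is fully determined by the password (hypothetical formula).
        self.token_auth = hashlib.md5(password.encode("utf-8")).hexdigest()


class TokenStore:
    """Decoupled design: a random token, regenerable on its own, with only a
    SHA-256 digest kept at rest so a database leak yields no usable token."""

    def __init__(self) -> None:
        self._digest = None

    def regenerate(self) -> str:
        token = secrets.token_hex(32)  # 32 bytes from the OS CSPRNG
        self._digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        return token  # shown to the user once; old token is now invalid

    def verify(self, candidate: str) -> bool:
        if self._digest is None:
            return False
        digest = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
        return hmac.compare_digest(digest, self._digest)  # constant time


def token_reverts_with_password(original: str, temporary: str) -> bool:
    """Change the password away and back; True means the old token returns."""
    user = PasswordBoundUser(original)
    leaked = user.token_auth
    user.set_password(temporary)
    changed = user.token_auth != leaked
    user.set_password(original)
    return changed and user.token_auth == leaked


def rotation_revokes_old_token() -> bool:
    """With the decoupled store, regenerating rejects the leaked token."""
    store = TokenStore()
    leaked = store.regenerate()
    fresh = store.regenerate()
    return store.verify(fresh) and not store.verify(leaked) and fresh != leaked
```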

@tsteur commented on February 7th 2017 Owner

Yes, this was changed in Piwik 3.

This Issue was closed on February 7th 2017